TeamViewer discovered that a threat actor has breached its corporate network, and some reports attribute the intrusion to the Russia-linked APT group APT29 (aka SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes).
“A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.” reads the statement published by the company.
“Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.”
The popular Ars Technica reporter Dan Goodin reported that an alert issued by security firm NCC Group describes a “significant compromise of the TeamViewer remote access and support platform by an APT group.”
In May 2019, the German newspaper Der Spiegel revealed that the German software company behind TeamViewer was compromised in 2016 by Chinese hackers.
According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan malware to infect the systems of the company. The Winnti group was first spotted by Kaspersky in 2013; according to the researchers, the nation-state actor has been active since at least 2007.
“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said a company spokesman.
At the time, the company published a statement ruling out that it had been breached by hackers:
“Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.
Pierluigi Paganini
(SecurityAffairs – hacking, APT)